Re: FR 1.1.7 + AD 2003 + LDAP

2008-05-01 Thread Charlie B
Just me again,

User has reset their password the usual way; however, we are still getting
failed logins.  Anyone with an idea, or what I can provide to help solve this
puzzle? Thx

Thu May  1 09:07:33 2008 : Auth: Login incorrect: [brebberm/] (from client 10.0.1.12 port 60035 cli 00-14-22-5A-D5-CD)
Thu May  1 09:08:43 2008 : Auth: Login incorrect (rlm_mschap: Account locked out (0xc234)): [BrebberM/] (from client localhost port 0)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FR 1.1.7 + AD 2003 + LDAP

2008-05-01 Thread Charlie B
Hello Everyone,

So in my world we have been able to diagnose that the authentication issue
is related to the username case (the only difference in RADIUS), and I have not
found anything other than a statement in an old post from Alan about AD
being case-sensitive with usernames.  Is there any information somewhere to
help me correct this?  Usernames have, for as long as I can remember, not been
case-sensitive.

Thanks

Thu May  1 08:34:37 2008 : Auth: Login OK: [BrooksK/] (from client localhost port 0)
Thu May  1 08:34:37 2008 : Auth: Login OK: [BrooksK/] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 08:36:24 2008 : Auth: Login OK: [BrooksK/] (from client localhost port 0)
Thu May  1 08:36:24 2008 : Auth: Login OK: [BrooksK/] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 08:37:24 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc06d)): [brooksk/] (from client localhost port 0)
Thu May  1 08:37:24 2008 : Auth: Login incorrect: [brooksk/] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 08:41:39 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc06d)): [brooksk/] (from client localhost port 0)
Thu May  1 08:41:39 2008 : Auth: Login incorrect: [brooksk/] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
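The two log excerpts above (the 0xc234 lockout for BrebberM and the OK/incorrect pairs for BrooksK vs. brooksk) are the kind of thing a practitioner ends up eyeballing by hand. The following is an added example, not code from the thread or from FreeRADIUS: a small parser for the `Auth:` lines FreeRADIUS writes, followed by a check that groups records by case-folded username and flags (a) a failing spelling that differs only by case from a spelling that succeeded, and (b) an account-lockout status. The sample input is constructed by rejoining the wrapped lines from the two posts above. The mapping of the short codes printed in the log (`0xc06d`, `0xc234`) to `NT_STATUS_LOGON_FAILURE` (0xC000006D) and `NT_STATUS_ACCOUNT_LOCKED_OUT` (0xC0000234) is an assumption about how ntlm_auth's output was abbreviated here.

```python
import re
from collections import defaultdict

# Constructed sample: the Auth log lines from the two posts above, wrapped
# lines rejoined so each record is on one line.
SAMPLE_LOG = """\
Thu May  1 08:34:37 2008 : Auth: Login OK: [BrooksK/] (from client localhost port 0)
Thu May  1 08:34:37 2008 : Auth: Login OK: [BrooksK/] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 08:37:24 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc06d)): [brooksk/] (from client localhost port 0)
Thu May  1 08:37:24 2008 : Auth: Login incorrect: [brooksk/] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 09:07:33 2008 : Auth: Login incorrect: [brebberm/] (from client 10.0.1.12 port 60035 cli 00-14-22-5A-D5-CD)
Thu May  1 09:08:43 2008 : Auth: Login incorrect (rlm_mschap: Account locked out (0xc234)): [BrebberM/] (from client localhost port 0)
"""

# Assumed mapping (see lead-in): short codes as printed in the thread's log
# lines -> the NT_STATUS values they abbreviate.
NT_STATUS = {
    "0xc06d": "NT_STATUS_LOGON_FAILURE",        # 0xC000006D
    "0xc234": "NT_STATUS_ACCOUNT_LOCKED_OUT",   # 0xC0000234
}

# "<timestamp> : Auth: Login OK|incorrect[ (reason)]: [user/...] (from client X port N[ cli MAC])"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*)\))?: \[(?P<user>[^/\]]*)/[^\]]*\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)
CODE_RE = re.compile(r"\((0x[0-9a-fA-F]+)\)")


def parse_line(line):
    """Parse one FreeRADIUS Auth log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec.pop("result") == "OK"
    code = CODE_RE.search(rec["reason"] or "")
    rec["nt_status"] = NT_STATUS.get(code.group(1).lower(), code.group(1)) if code else None
    return rec


def analyse(log_text):
    """Group records by case-folded username; flag case-only mismatches and lockouts."""
    by_user = defaultdict(lambda: {"ok": set(), "failed": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = by_user[rec["user"].casefold()]
        entry["ok" if rec["ok"] else "failed"].add(rec["user"])
        if rec["nt_status"]:
            entry["statuses"].add(rec["nt_status"])

    findings = {}
    for key, e in by_user.items():
        findings[key] = {
            "ok_spellings": sorted(e["ok"]),
            "failed_spellings": sorted(e["failed"]),
            # A spelling that fails while a different spelling of the same
            # (case-folded) name succeeds: exactly the BrooksK/brooksk pattern.
            "case_mismatch": bool(e["ok"] and (e["failed"] - e["ok"])),
            "locked_out": "NT_STATUS_ACCOUNT_LOCKED_OUT" in e["statuses"],
            "statuses": sorted(e["statuses"]),
        }
    return findings


if __name__ == "__main__":
    for user, f in sorted(analyse(SAMPLE_LOG).items()):
        print(user, f)
```

Run against a real `radius.log` by reading the file into `analyse()`; the `case_mismatch` flag is the quick way to confirm the diagnosis in the post above across all users rather than one at a time, and `locked_out` tells you when repeated retries with the stale cached credential have tripped the AD lockout threshold rather than a bad password.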

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-15 Thread Charlie B
Hello,

Looks like Kerberos was only a piece of the puzzle.  When a user enters
the 14-day period prior to being required to change password, Windows XP is
changing the password of the user in some way that deauthenticates the user.

any ideas?

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-14 Thread Charlie B
Hello Mr. DeKok,

I wanted to say thank you, FreeRADIUS is the best; there is none better when
it comes to RADIUS.

On to the topic: I believe we have found the issue.  It may be related to
Kerberos tickets and the krb5.conf file, where I had the realm in lower case.
Found documentation that indicated it MUST be in upper case.  In the wiki
:)  Just didn't think it would materialize into this type of problem.  I
will report back if this has been rectified by the change of case for the
realm.

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-14 Thread A . L . M . Buxey
Hi,

> I'm really surprised at this issue.  Something like this really puts me on
> the spot to have to bring up an IAS in order to deal with the password
> issue.  I hate windoze but I thought more than a handful of us would be
> running into this issue since I see there are a lot of freeradius + AD
> deployments.
> 
> anyone else run into this issue and find a fix?

yes, don't run windows clients  ;-)


seriously, IAS is next to useless as a cross-platform, proxying, 
accounting and controllable RADIUS solution. install it if you want
but don't come here asking questions about it  :-)

alan


Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-13 Thread Alan DeKok
Charlie B wrote:
> I'm really surprised at this issue.  Something like this really puts me
> on the spot to have to bring up an IAS in order to deal with the
> password issue.  I hate windoze but I thought more than a handful of us
> would be running into this issue since I see there are a lot of
> freeradius + AD deployments.

  (1) Are you sure it works with IAS?

  (2) Microsoft has gone to great effort to make sure that IAS has
"magic" integration with Active Directory.

  One way to fix it may be to have a native Windows port of FreeRADIUS.

  Alan DeKok.


Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-13 Thread Charlie B
Thanks Alan,

I'm really surprised at this issue.  Something like this really puts me on
the spot to have to bring up an IAS in order to deal with the password
issue.  I hate windoze but I thought more than a handful of us would be
running into this issue since I see there are a lot of freeradius + AD
deployments.

anyone else run into this issue and find a fix?

Thanks :)

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-12 Thread A . L . M . Buxey
Hi,
> Charlie B wrote:
>> Has no one else experienced this issue where reset password confuses 
>> WinXP?  I really don't want to use IAS.  Any ideas?
>
> Let me get this straight: You have machines in the domain, users doing 
> domain logins, and wired 802.1x using the domain credentials. When you 
> change a user's password, the username/password cached on the client is no 
> longer valid, and they fall off the network.
>
> It's hard to see what else could happen; you've changed their password and 
> given the machine they're logged onto no way of knowing that. Why don't you 
> just let them change their password?
>
> Very likely many resources would continue to be accessible because the 
> credential cache includes a valid kerberos TGT but that isn't used for 
> 802.1x/MS-CHAP - it's the plain username/password.
>
> Whatever happens, the client machine would have to prompt the user for 
> their new username/password.
>
> Does this work with IAS? If so, it may be that there's an error code which 
> can be put in an MS-CHAP-Error attribute. However, very likely Samba would 
> have to generate the error code.
>
> In short, I don't think it's going to work any time soon.

we see the same issue when using machine credentials for wireless login.
the AD will update the password of the machine within the time frame
set in the AD - for us, 90 days - and then when the client attempts
to validate against AD, they have a small discussion to get things
back into sync.  

On the wired side this works, as it seems that the client will do this over an 
'open' link; however the partnering won't happen over an encrypted link(!) 
- go figure - perhaps to stop it happening over a PPTP VPN link when the user 
is away from work? and therefore the next time the user tries to associate 
to wifi they cannot log in. the only fix is for them to plug into a wired 
socket...
magically wifi works again.

a fix?  none that I have managed to come up with, I'm afraid.

alan


Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-09 Thread Charlie B
Hi Phil,

You are dead on with what is going on; however, this is occurring when the
user enters the 14 days prior to being required to change their password,
and even when the users themselves are prompted to change.

Just so it's clear:
When a user enters the two weeks prior to being required to change password, their
password no longer allows access to the network.
When a user changes password when prompted, they're denied access ("Logon
Failure") to the network.

We find we have to delete the registry key for the computer, since the
logged-on user key is removed by the system, in order to correct the issue.
Or we change the setup to have the user prompted to log on (balloon) rather
than use the logged-on credentials.  In this case the same username and
password combination works successfully.

If there is anything else I can provide to find a solution please let me
know, this is a real pain in ***

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-09 Thread Phil Mayers

Charlie B wrote:
Has no one else experienced this issue where reset password confuses 
WinXP?  I really don't want to use IAS.  Any ideas?


Let me get this straight: You have machines in the domain, users doing 
domain logins, and wired 802.1x using the domain credentials. When you 
change a user's password, the username/password cached on the client is 
no longer valid, and they fall off the network.


It's hard to see what else could happen; you've changed their password 
and given the machine they're logged onto no way of knowing that. Why 
don't you just let them change their password?


Very likely many resources would continue to be accessible because the 
credential cache includes a valid kerberos TGT but that isn't used for 
802.1x/MS-CHAP - it's the plain username/password.


Whatever happens, the client machine would have to prompt the user for 
their new username/password.


Does this work with IAS? If so, it may be that there's an error code 
which can be put in an MS-CHAP-Error attribute. However, very likely 
Samba would have to generate the error code.


In short, I don't think it's going to work any time soon.


Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-08 Thread Charlie B
Has no one else experienced this issue where reset password confuses WinXP?
I really don't want to use IAS.  Any ideas?

Thanks

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-07 Thread Charlie B
I guess I should add that this is a wired connection, not that this should
change too much.

Thank you again!

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-07 Thread Charlie B
Thanks Ivan,

We thought there should be a key for the currently logged-on user as well, but none
of our domain users has an entry in the registry, even though we have it
checked to cache the credentials.  The only way we can produce this key is
to have WinXP use the "prompt for credentials" balloon.

2008/4/7 Ivan Kalik <[EMAIL PROTECTED]>:

> Wrong key:
>
> http://support.microsoft.com/kb/823731
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 8/4/2008, "Charlie B" <[EMAIL PROTECTED]> wrote:
>
> >Hello everyone,
> >
> >We have set up FreeRADIUS with Active Directory using LDAP and NTLM as per
> the
> >wiki and everything is working great save one item of concern.
> >
> >When our users need to reset their password, or have reset their
> >password, NTLM fails.
> >
> >I'm pretty certain that this is not a FreeRADIUS issue and I'm sorry to
> post
> >here; however this would be the largest base of users who may have
> >experienced this issue.
> >
> >We can correct the issue if we remove the registry key located
> >HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters however this
> removes
> >the 802.1x configuration for the machine.
> >
> >
> >rlm_ldap: looking for check items in directory...
> >rlm_ldap: looking for reply items in directory...
> >rlm_ldap: user Raduser authorized to use remote access
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >
> >
> >rlm_mschap: Told to do MS-CHAPv2 for Raduser with NT-Password
> >radius_xlat: Running registered xlat function of module mschap for string
> >'User-Name'
> >radius_xlat:  '--username=Raduser'
> >radius_xlat: Running registered xlat function of module mschap for string
> >'Challenge'
> > mschap2: 88
> >radius_xlat:  '--challenge=5fb05b4d0e49743a'
> >radius_xlat: Running registered xlat function of module mschap for string
> >'NT-Response'
> >radius_xlat:
> >'--nt-response=abc64919a43a42c675c516ce59001bb4a3ef65d68f8de407'
> >Exec-Program output: Logon failure (0xc06d)
> >Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> >Exec-Program: returned: 1
> >  rlm_mschap: External script failed.
> >  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> >  modcall[authenticate]: module "mschap" returns reject for request 48
> >modcall: leaving group MS-CHAP (returns reject) for request 48
> >  rlm_eap: Freeing handler
> >  modcall[authenticate]: module "eap" returns reject for request 48
> >modcall: leaving group authenticate (returns reject) for request 48
> >auth: Failed to validate the user.
> >Login incorrect (rlm_mschap: Logon failure (0xc06d)): [Raduser/<no User-Password attribute>] (from client localhost port 0)
> >
> >
> >
> >freeradius-1.1.7-3.1
> >samba-3.0.28-0
> >samba-client-3.0.28-0
> >samba-common-3.0.28-0
> >
> >
> >
> >Any help much appreciated; we are currently running about 1500 users with
> this
> >setup and everything is great save the password issue.
> >
> >Thanks
> >
> >
>
>
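The `--challenge=5fb05b4d0e49743a` value in the rlm_mschap debug quoted above is not the client's challenge: it is the 8-byte MS-CHAPv2 ChallengeHash (RFC 2759, section 8.2), which is SHA-1 over the 16-byte peer challenge, the 16-byte authenticator challenge and the user name, truncated to 8 bytes. The debug shows rlm_mschap deriving it from `User-Name` right before building the `--username=`/`--challenge=` arguments for ntlm_auth, which then asks the DC to verify the NT-Response against that challenge. Because the user name is an input to the hash, the server must use exactly the bytes the peer used; a case change produces a different challenge and the verification fails even with the right password, which is the mechanism behind the BrooksK/brooksk observation later in this thread. The following is an added example (not FreeRADIUS or Samba code) that implements ChallengeHash, including the RFC's rule that a prepended `DOMAIN\` is excluded, and a helper that checks whether the server's spelling will reproduce the peer's challenge. The two 16-byte challenges are constructed sample values.

```python
import hashlib

# Constructed sample challenges (16 bytes each); real ones come from the
# MS-CHAP2-Response (peer) and MS-CHAP-Challenge (authenticator) attributes.
PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    Returns the 8-byte value rlm_mschap passes to ntlm_auth as --challenge=...
    The user name is hashed as the peer presented it, minus any prepended
    DOMAIN\\ part, as the RFC requires. Case is significant: SHA-1 sees the
    raw bytes, so "BrooksK" and "brooksk" yield different challenges.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    bare_user = username.rsplit("\\", 1)[-1]  # "EXAMPLE\\user" -> "user"
    digest = hashlib.sha1(
        peer_challenge + authenticator_challenge + bare_user.encode("utf-8")
    ).digest()
    return digest[:8]


def authenticator_matches_peer(peer_challenge: bytes, authenticator_challenge: bytes,
                               peer_username: str, server_username: str) -> bool:
    """True only if the server derives the same 8-byte challenge the peer hashed with.

    If this is False, the NT-Response the peer computed can never verify at the
    DC, regardless of whether the password is correct.
    """
    return (challenge_hash(peer_challenge, authenticator_challenge, peer_username)
            == challenge_hash(peer_challenge, authenticator_challenge, server_username))


def challenges_for_spellings(peer_challenge: bytes, authenticator_challenge: bytes, spellings):
    """Map each spelling of a user name to the challenge it produces, for side-by-side comparison."""
    return {s: challenge_hash(peer_challenge, authenticator_challenge, s).hex() for s in spellings}


if __name__ == "__main__":
    for spelling, chal in challenges_for_spellings(
            PEER_CHALLENGE, AUTH_CHALLENGE, ["BrooksK", "brooksk", "EXAMPLE\\BrooksK"]).items():
        print(f"{spelling:20s} --challenge={chal}")
```

The practical check, when a user authenticates with one spelling and fails with another, is to compare the `--username=` rlm_mschap logged against the name the supplicant actually hashed with; whatever rewrites `User-Name` between the client and rlm_mschap (a `users`/`hints` entry, a lower-casing LDAP lookup, a realm strip) will change the challenge the DC is asked to verify.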

Re: FR 1.1.7 + AD 2003 + LDAP

2008-04-07 Thread Ivan Kalik
Wrong key:

http://support.microsoft.com/kb/823731

Ivan Kalik
Kalik Informatika ISP


On 8/4/2008, "Charlie B" <[EMAIL PROTECTED]> wrote:

>Hello everyone,
>
>We have set up FreeRADIUS with Active Directory using LDAP and NTLM as per the
>wiki and everything is working great save one item of concern.
>
>When our users need to reset their password, or have reset their
>password, NTLM fails.
>
>I'm pretty certain that this is not a FreeRADIUS issue and I'm sorry to post
>here; however this would be the largest base of users who may have
>experienced this issue.
>
>We can correct the issue if we remove the registry key located
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters however this removes
>the 802.1x configuration for the machine.
>
>
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user Raduser authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>
>
>rlm_mschap: Told to do MS-CHAPv2 for Raduser with NT-Password
>radius_xlat: Running registered xlat function of module mschap for string
>'User-Name'
>radius_xlat:  '--username=Raduser'
>radius_xlat: Running registered xlat function of module mschap for string
>'Challenge'
> mschap2: 88
>radius_xlat:  '--challenge=5fb05b4d0e49743a'
>radius_xlat: Running registered xlat function of module mschap for string
>'NT-Response'
>radius_xlat:
>'--nt-response=abc64919a43a42c675c516ce59001bb4a3ef65d68f8de407'
>Exec-Program output: Logon failure (0xc06d)
>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>Exec-Program: returned: 1
>  rlm_mschap: External script failed.
>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>  modcall[authenticate]: module "mschap" returns reject for request 48
>modcall: leaving group MS-CHAP (returns reject) for request 48
>  rlm_eap: Freeing handler
>  modcall[authenticate]: module "eap" returns reject for request 48
>modcall: leaving group authenticate (returns reject) for request 48
>auth: Failed to validate the user.
>Login incorrect (rlm_mschap: Logon failure (0xc06d)): [Raduser/<no User-Password attribute>] (from client localhost port 0)
>
>
>
>freeradius-1.1.7-3.1
>samba-3.0.28-0
>samba-client-3.0.28-0
>samba-common-3.0.28-0
>
>
>
>Any help much appreciated; we are currently running about 1500 users with this
>setup and everything is great save the password issue.
>
>Thanks
>
>
